For what it's worth, ISS RealSecure purchased NetworkICE for the sole reason
of getting their hands on multiple pattern matching and heuristic tree
pruning with regards to where to look.
So ISS RealSecure v6.5 now doesn't search the whole packet for long strings
of "%20" for example, or "/././././cgi-bin/*.phf" Instead it looks soleley
in the packet payload.
By the same token, it won't look for solitary FIN packets out of sequence in
the packet payload, either.
These were both features of NetworkICE - and are part of the improved
capability derived from Network Associates Sniffer Pro (the authors of
Sniffer Pro went on to form NetworkICE after selling out).
The advances that both Snort and NetworkICE bring to the table include not
only searching in multiple parts of the packet simultaneously and
intelligently matching different vulnerabilities against the parts of the
packet that they can be found, but also a re-written packet driver that
pulls packets in promiscuous mode at much higher speed than the OSes can.
Cheers!
Nathan Dornbrook
Head of Network Security
Royal Bank of Scotland
Regus House, 10 Lochside Place
Edinburgh Park, Edinburgh
EH12 9RG
* 0131-523 9299
e* dornbrn@rbos.co.uk